In PHP prior to 8.1.32, 8.2.28, 8.3.19, and 8.4.5, the header check in check_has_header does not verify \r which could potentially lead to some misbehaviour if only \n is used in the header value. If this value is provided by user and not checked properly (e.g. it can be cookie value and it is not unlikely it could be taken from the user input (at least partially)), then it could specify it like for example Cookie: x=y\nauhtorization:x\r\n. If the URL has user part in it, then this can disable sending of that authorization header. That could potentially impact the result and lead potentially to DoS or potentially to some unexpected issues.